Author: Ethan Hansen

Ethan is a System Administrator turned Security Analyst and monitors Oversight customer environments as part of the Threat Stack SOC. He enjoys following digital breadcrumb trails to their source and has an interest in digital forensics and incident response as it pertains to the Cloud.


About This Threat Briefing

Recently, Threat Stack’s Security Operations Center (SOC) uncovered a variation of the Shellbot malware in a public cloud environment. In this active cryptojacking campaign, the sophisticated malware features several layers of obfuscation and continues to be updated with new functionality after it has gained a foothold in an infected environment.

In this briefing, Threat Stack SOC Analyst Ethan Hansen walks through the details of the newly discovered cryptojacking campaign, including the malware components, the attack path actually observed, and the direction of future investigations.


Threat Stack’s Security Operations Center (SOC) recently discovered an ongoing and evolving malware campaign that leverages a new variant of the Shellbot malware discovered by JASK in November 2018 and published in February 2019. (You can read their full report here.)

More often than not we'll need to go beyond a Severity 1 alert to figure out what a user (including a potentially malicious attacker) was doing on a system. Host events in particular show only a small part of the picture, and a single alert can't always give you the context needed to make an escalation decision. This blog post explains how to pivot from a Host event, or from a single user-related alert, to the user's full session using the data provided by your intrusion detection system.

Read more: “How to Track Agent-Based User Activity”